WannaCry coda: Have you disabled SMBv1?

2017-06-07T19:37:39
ID RAPID7COMMUNITY:CA655291AB4C27DA71FE3C88B193DB7A
Type rapid7community
Reporter Ken Mizota
Modified 2017-06-07T19:37:39

Description

<!-- [DocumentBodyStart:580912b0-df32-4930-ba1a-4f053d723348] --><div class="jive-rendered-content"><p>By now, if you're reading this blog, you probably have read about WannaCry. If not, please take a moment to review:</p><ul><li><span><a class="jive-link-blog-small" data-containerId="5165" data-containerType="37" data-objectId="7869" data-objectType="38" href="https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained">Wanna Decryptor (WNCRY) Ransomware Explained</a> </span></li><li><span style="color: #1155cc; font-size: 11pt; font-family: Arial;"><span><a class="jive-link-blog-small" data-containerId="5165" data-containerType="37" data-objectId="7871" data-objectType="38" href="https://community.rapid7.com/community/infosec/blog/2017/05/15/using-threat-intelligence-to-mitigate-wanna-decryptor-wncry">Using Threat Intelligence to Mitigate Wanna Decryptor (WannaCry) </a> </span></span></li><li><span style="color: #1155cc; font-size: 11pt; font-family: Arial;"><span><span><a class="jive-link-blog-small" data-containerId="5165" data-containerType="37" data-objectId="7874" data-objectType="38" href="https://community.rapid7.com/community/infosec/blog/2017/05/16/update-on-wannacry-vulnerable-smb-shares-are-widely-deployed-and-people-are-scanning-for-them">WannaCry Update: Vulnerable SMB Shares Are Widely Deployed And People Are Scanning For Them</a> </span></span></span></li><li><span style="color: #1155cc; font-size: 11pt; font-family: Arial;"><span><span><span><a class="jive-link-blog-small" data-containerId="1004" data-containerType="37" data-objectId="7866" data-objectType="38" href="https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose">Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose</a> </span></span></span></span></li></ul><p>With many organizations now taking heed of <a class="jive-link-external-small" 
href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fblogs.technet.microsoft.com%2Ffilecab%2F2016%2F09%2F16%2Fstop-using-smb1%2F" rel="nofollow" target="_blank">Microsoft's advice</a> to disable SMBv1, Rapid7 customers have asked: how does this affect my scan capabilities?</p><p><strong>Tl;dr</strong> If your assets have Windows Management Instrumentation (WMI) enabled and the Windows Management Instrumentation firewall rule group enabled, the Scan Engine will use your SMB/CIFS credentials to authenticate via WMI. Disabling SMBv1 leaves SMBv2 and SMBv3 enabled and does not touch WMI, which runs over DCOM/RPC (TCP 135 plus a dynamically assigned high port), so your existing credentials keep working. If your assets are not domain members and the Scan Engine is not on the same subnet as the assets, the WMI firewall rules need to be updated to permit traffic from the Scan Engine's address.</p><p>Read <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Faa822854%28v%3Dvs.85%29.aspx" rel="nofollow" target="_blank">this MSDN article</a> to learn how to set up remote WMI connections and configure the Windows Firewall for remote management.</p><h2>Checking your configuration</h2><p>You can verify whether you are using SMB credentials in InsightVM by navigating to <strong>Administration</strong> > <strong>Shared Credentials</strong>. You may have a Shared Credential that looks like this:</p><p><span style="color: #000000; font-size: 11pt; font-family: Arial;"><a href="https://lh6.googleusercontent.com/V0z-AuPo7mPBdjix1NA7SpVMwoYr-Xsxdo1-_kvtNcXZ3fI-yAcE8CwX-p71YuQWTLCh0wP28lrjH8x-8uddJoSy4-Y3ekMZme6mIzGWGfh2CA-7cBgVNR2js_asriPiAJTQdwc"><img class="jive-image" height="319" src="https://lh6.googleusercontent.com/V0z-AuPo7mPBdjix1NA7SpVMwoYr-Xsxdo1-kvtNcXZ3fI-yAcE8CwX-p71YuQWTLCh0wP28lrjH8x-8uddJoSy4-Y3ekMZme6mIzGWGfh2CA-7cBgVNR2js_asriPiAJTQdwc" style="border-style: none;" width="483"/></a></span></p><p><span>If your organization has disabled SMBv1 on an asset, you can keep using your existing SMB credential. You will, however, want InsightVM to scan TCP port 135 (the RPC endpoint mapper that WMI connections start with), so first verify your Scan Template(s).</span></p><p><span>Navigate to <strong>Administration</strong> > <strong>Scan Templates</strong>. Select a Scan Template and review the <strong>Service Discovery</strong> tab.</span></p><p><span style="color: #000000; font-size: 11pt; font-family: Arial;"><a href="https://lh4.googleusercontent.com/xGaDJrPk1kTVUD301JSXyxePuLQ3URdTouxT0QEWSNuTyhYi7esqjhM4YI3xQqS7RBNDAw3B_pNPw4og_vVWiVRYwC8y7QqfNy0_FtXlJMIHUjCZV1JfPm1oxN5n4nFtJa5hxrv5"><img class="jive-image" height="274" src="https://lh4.googleusercontent.com/xGaDJrPk1kTVUD301JSXyxePuLQ3URdTouxT0QEWSNuTyhYi7esqjhM4YI3xQqS7RBNDAw3B_pNPw4og_vVWiVRYwC8y7QqfNy0_FtXlJMIHUjCZV1JfPm1oxN5n4nFtJa5hxrv5" style="border-style: none;" width="488"/></a></span></p><p><span>Take a look at the <strong>Additional ports</strong> field. Our example above has a range that includes port 135, and yours should too.</span></p><p><span>In summary:</span></p><ol><li>Set up <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Faa822854%28v%3Dvs.85%29.aspx" rel="nofollow" target="_blank">WMI for remote connections and enable WMI traffic through Windows Firewall</a>.</li><li><span>Make sure your Scan Template includes port 135.</span></li></ol></div><!-- [DocumentBodyEnd:580912b0-df32-4930-ba1a-4f053d723348] -->
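The steps above, carried out from PowerShell on the asset and then checked from the Scan Engine side. This is an added example and not Rapid7's or Microsoft's code; the Scan Engine address 10.0.5.20, the target host name FILESRV01 and the account CORP\svc-scan are made-up values, and the cmdlets assume Windows 8.1 / Server 2012 R2 or later. It goes one step beyond the post by scoping the WMI firewall rules to the Scan Engine's address rather than opening them to every remote host, and by testing WMI over DCOM explicitly, the transport the scanner's WMI authentication uses.

```powershell
# Added example (not from the Rapid7 post): disable SMBv1 on a Windows asset,
# open the WMI firewall rule group to a single Scan Engine address, then verify
# from the Scan Engine side that WMI over DCOM still answers with the same
# SMB/CIFS credential. 10.0.5.20, FILESRV01 and CORP\svc-scan are made-up values.

#Requires -RunAsAdministrator
$ScanEngine = '10.0.5.20'

# --- 1. SMBv1: report the current state, then turn it off ---
$smb = Get-SmbServerConfiguration
"SMB1 server protocol enabled: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    # Turns off the SMBv1 server side immediately; SMBv2/SMBv3 stay enabled.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Also remove the SMBv1 component so the client side cannot fall back to it.
# (On Windows Server 2016 and later the equivalent is: Remove-WindowsFeature FS-SMB1)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# --- 2. Windows Firewall: allow WMI (DCOM on TCP 135 + dynamic RPC ports) from the Scan Engine only ---
$wmiGroup = 'Windows Management Instrumentation (WMI)'
# Enabling the whole group is idempotent; it covers DCOM-In (135) and WMI-In (dynamic RPC).
Enable-NetFirewallRule -DisplayGroup $wmiGroup
# Restrict the inbound rules to the Scan Engine so WMI is not exposed to the whole network.
# Non-domain assets off the Scan Engine's subnet are exactly the case where this scoping is needed.
Get-NetFirewallRule -DisplayGroup $wmiGroup -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $ScanEngine
# Show what is now in effect.
Get-NetFirewallRule -DisplayGroup $wmiGroup -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        "{0,-45} Enabled={1,-5} RemoteAddress={2}" -f $_.DisplayName, $_.Enabled, ($addr -join ',')
    }
# Legacy equivalent from the MSDN article, for hosts without the NetSecurity module:
#   netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes remoteip=10.0.5.20

# --- 3. Run from the Scan Engine host (or any host on its side of the firewall) ---
# Proves the path the scanner uses: TCP 135 reachable, then a WMI query over DCOM
# authenticated with the credential already stored in InsightVM.
function Test-RemoteWmi {
    param(
        [Parameter(Mandatory)] [string]        $ComputerName,
        [Parameter(Mandatory)] [pscredential]  $Credential
    )
    $reach = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    if (-not $reach.TcpTestSucceeded) {
        return "TCP 135 closed on $ComputerName - check the WMI rule scope before anything else"
    }
    # Force DCOM rather than WSMan so the test exercises the same transport as the scan.
    $opt = New-CimSessionOption -Protocol Dcom
    $s   = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt
    try {
        $os = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
        "WMI via DCOM OK on $ComputerName : $($os.Caption) build $($os.BuildNumber)"
    }
    finally {
        Remove-CimSession -CimSession $s
    }
}
# Example call (prompts for the scan account's password):
# Test-RemoteWmi -ComputerName FILESRV01 -Credential (Get-Credential 'CORP\svc-scan')
```

If step 3 reports TCP 135 open but the CIM session fails with an access-denied or RPC-unavailable error, the usual culprits are the WMI-In rule still scoped to the local subnet (so the endpoint mapper answers but the dynamic RPC port does not) or, on a non-domain host, a local account that is not a member of the local Administrators group; neither is fixed by re-enabling SMBv1.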